" hipaa Archives - LuxSci

Posts Tagged ‘hipaa’

What is HIPAA-Compliant Email Marketing?

Tuesday, September 26th, 2023

If you are one of the 92% of Americans with an email address, you are likely familiar with email marketing. It is a tried and true marketing strategy that delivers a superior return on investment compared to other digital channels. However, when healthcare organizations want to utilize these strategies, out-of-the-box solutions are not a good fit. Healthcare organizations must utilize email marketing platforms specifically designed to meet HIPAA’s unique privacy and security requirements.

When Do You Need a HIPAA-Compliant Email Marketing Platform?

Healthcare organizations are required to use a HIPAA-compliant email marketing platform because their messages often contain electronic protected health information (ePHI). This includes information that is both individually identifiable and relates to someone’s healthcare.

Individually identifiable information includes identifiers like a patient’s name, address, birth date, email address, social security number, and more. By default, every email marketing communication includes the patient’s email address and is, therefore, individually identifiable. Not only does the definition of ePHI cover people’s past, present, and future health conditions, but it also includes treatment provisions and billing details. This information is often contained in email marketing messages.

While the law does not cover anonymous health details or individual identifiers sent by themselves, you must be careful and abide by HIPAA regulations when the two are brought together. You will need a HIPAA-compliant email marketing service whenever you send ePHI. As we will see, even if you think an email may not contain ePHI, it is still best to be cautious.

Types of HIPAA-Compliant Email Marketing Communications

An excellent example of an email blast that must comply with HIPAA is a newsletter sent to a clinic’s cancer patients. At first glance, the email doesn’t contain any specific PHI. It doesn’t mention Jane Smith’s chemotherapy treatments, other specific patients, or their medical information. However, upon closer look, it may violate HIPAA regulations.

Every email in this campaign contains a personal identifier- the patient’s email address. In this example, only cancer patients received the newsletter, which also tells you personal medical information. A hacker could infer that anyone who received this email has cancer, which is ePHI and protected under HIPAA. If you use a medical condition to create a segment of email recipients, the email campaign must comply with HIPAA.

Sometimes, it can be challenging to identify if an email contains ePHI. If you sent the same practice newsletter to a list of all current and former medical clinic patients, it may or may not contain ePHI. Even if the newsletter contained benign info about the practice’s operating hours or parking information, if the practice is centered around treating a specific condition like cancer or depression, it may be possible to infer information about the recipients regardless of the message.

There are a lot of gray areas, and it can be difficult to determine if an email contains PHI. We recommend using HIPAA-compliant email marketing for any promotional materials to reduce the risk of violations.

The Benefits of Using a HIPAA-Compliant Marketing Platform

After reading this, you may think the answer is to avoid sending PHI in email campaigns. However, by keeping your communications bland, generic, and broadly targeted, you miss out on significant opportunities to engage your patients.

Using a HIPAA-compliant email marketing solution, you can leverage ePHI to send much more effective messages. In the above example, cancer patients actively receiving treatment at your clinic are much more likely to be interested in your business updates. Targeted emails receive much higher open and click rates than those sent to a general list.

Results of leveraging PHI

Sending the right information to your patients at the right time is an effective patient engagement strategy. Think about it using an e-commerce example- when a retailer sends you product recommendations based on past purchases; they use your data to influence future purchasing decisions. By utilizing patient data to create highly relevant and personalized campaigns and offers, you receive a better return on investment in your efforts.

What is Required for HIPAA-Compliant Email Marketing?

Finding the right HIPAA-compliant email marketing platform can be challenging. Most of the common vendors aren’t HIPAA-compliant at all. Others claim compliance and will sign BAAs to protect your information at rest but still will not enable you to send PHI via email. Finding a provider that suits your business needs and protects the email messages requires careful vetting.

Generally speaking, a HIPAA-compliant email platform must meet three broad requirements:

  1. The vendor will sign a Business Associates Agreement that outlines how they will protect your data and what happens in case of a breach.
  2. The vendor protects the data at rest using appropriate storage encryption, access controls, and other security features.
  3. The vendor protects messages in transit using an appropriate level of encryption with the proper ciphers.

Thankfully, LuxSci’s Secure Marketing email platform has been designed to meet the healthcare industry’s unique needs. Our platform was built with both security and compliance at the forefront. With Secure Marketing, organizations can send fully HIPAA-compliant email marketing messages to the right patients at the right time and receive a better return on their marketing investment.

Is TLS Email Encryption Suitable for Compliance?

Tuesday, September 19th, 2023

This article discusses what types of email encryption are sufficient to comply with government regulations. TLS email encryption is a good option for many organizations that manage sensitive data. However, it does not protect data at rest. Each organization must perform a risk assessment to determine which encryption methods suit their legal requirements.

Read the rest of this post »

When Do Online Forms Need to Be HIPAA-Compliant?

Tuesday, August 22nd, 2023

When it comes to digital data collection, there is often a lot of uncertainty surrounding the HIPAA compliance requirements for online forms. We often have customers ask if their website forms need to be HIPAA-compliant.

The short answer is that securing patient data is always recommended. You never know what types of information individuals will volunteer in an online submission. It is always a good idea to prepare for the possibility of sensitive information being entered into an online form to build trust with your users.

person entering info into login form

Criteria for HIPAA-Compliant Online Forms

Note: the following is suggested advice from LuxSci based on our understanding of HIPAA; however, this should not be taken as legal advice. We advise you to consult your lawyer for accurate legal advice on your particular situation.

HIPAA requires that all Protected Health Information (PHI) be secured to protect the privacy of the individuals identified in the PHI. If your form falls into both of the following categories, it must conform to HIPAA standards:

  1. You are a Covered Entity or Business Associate and,
  2. The form collects PHI.

Let’s look at the two criteria to determine if your forms need to be HIPAA-compliant.

1. Does HIPAA Apply to Your Organization?

HIPAA applies to your web form if your organization is a Covered Entity. It also applies if you are a Business Associate of a Covered Entity and collect data on their behalf.

HIPAA defines a Covered Entity as an organization that falls into one of the following categories:

  1. Care: You provide services or supplies related to an individual’s physical or mental health care. This includes (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other items by a prescription.
  2. Provider: A provider of medical or health services or any other person or organization who furnishes, bills, or is paid for health care.
  3. Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information.
  4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care. The law specifically includes many organizations and government programs as health plans.

Covered Entities contract with Business Associates to process PHI on their behalf. In this scenario, a good example of a Business Associate is a website developer or marketing agency hired to create a website or application for a Covered Entity. They are responsible for protecting PHI on the website and must comply with HIPAA regulations.

2. Does the online form collect PHI?

So, HIPAA applies to your organization. Next, we must determine if a particular web form needs to be compliant. The second criterion is, does the form collect Protected Health Information?

What is ePHI?

ePHI is individually identifiable, protected health information sent or stored electronically. “Protected health information” can include information about an individual’s:

  1. Past, present, or future physical or mental health
  2. Past, present, or future provisioning of healthcare
  3. Past, present, or future payment-related information for the provisioning of healthcare

“Individually identifiable” information includes all information used to determine which specific individual is involved. There are 18 identifiers for an individual (listed below), and together with health information, they constitute PHI.

  • Name
  • Address (all geographic subdivisions smaller than the state, including street address, city, county, and zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

As you can see, a lot of data qualifies as “health information,” and just about every type of web form will collect individual identifiers. Even if your form doesn’t request health information, sometimes people will volunteer it to get faster responses. Covered entities are responsible for securing this data in compliance with HIPAA regulations. In many cases, it’s easier to make all online forms HIPAA-compliant rather than trying to lock them down to prevent the insecure transmission of health data.

Examples of HIPAA-Compliant Online Forms

Some online forms are explicitly designed to collect protected health information. Here are some examples of web forms that generally must be secured to meet HIPAA compliance standards:

  1. Appointment and Referral Requests: These will collect identifiable information about the person requesting the appointment. The request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, requesting an appointment may imply information about “an individual’s past, present, or future physical or mental health or condition.”
  2. Patient Intake Forms: These forms usually enable prospective patients to provide information about themselves for one purpose or another. These forms collect identifiable information about “an individual’s past, present, or future physical or mental health or condition.”

Some examples that might not be considered in the collection of PHI (depending on the exact context of the site) because, while they are individually identifiable, they may not include or imply health information for that individual:

  1. Contact Requests: The website visitor is merely asking for a call or email with no specified reason.
  2. Purchases of products that do not require a prescription: Purchasing a product does not imply who is to use it unless that product is restricted (e.g., via a prescription). Of course, this may also depend on whether you collect health information as part of the purchase for future marketing purposes.

Anything that identifies the person and relates to that person’s health or healthcare should be considered PHI and protected. It’s also important to note that as technology has advanced and online tracking has become ubiquitous, it’s possible to infer more about an individual and their health conditions indirectly. It is essential to proceed cautiously and recognize that even the smallest information you collect about a website user is part of a more extensive online profile.

Other industries can get away with not being secure. But why would you? People are afraid and paranoid about identity theft and information leakage on all sites, not just ones related to medical information. Anything a website can do to make visitors more comfortable and secure will improve trust and conversions.

What About Consent for Insecure Transmission?

As a follow-up question, we are often asked if there can be a checkbox on the form that patients can click to consent to use an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form.

This practice is highly advised against and is almost certainly not HIPAA-compliant. You should consult with a lawyer to ensure it is okay if you have a compelling reason to use this method.

To understand why this is a bad idea, consider “Mutual Consent.”

Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:

  1. You and the patient agree that insecure transmission is okay,
  2. The patient has been appropriately advised of the security risks involved,
  3. The patient agrees in writing that insecure transmission is okay, and
  4. The option for HIPAA-compliant transmission is available by implication.

However, this overcomplicates the process. It is much simpler to have secure web forms by default. You will not need to provide waivers, keep track of who has opted in/out, and maintain two different submission options.

The only case where this could be considered possibly under the HIPAA radar (again, please consult your lawyer) is if:

  1. Your insecure form has a clear section advising the users of the risks of submitting their data via this form.
  2. That warning is understandable to most laypeople without further explanation.
  3. They must check a box (or sign their name) to consent to the insecure form transmission.
  4. You may need to show that they understood and agreed to the risks and didn’t just click without reading.
  5. When you collect the form data, you save and archive all of these consent agreements in case of a breach, and you need to prove that insecure sending was allowed and the user was well informed of the risks.
  6. You have another option available to the user if they do not accept the risks, e.g., Submitting the form securely, calling you via a phone number, printing and mailing in a physical form, etc.

You burden the end-user significantly by adding warnings and consent to online forms. No one wants to read through disclaimers and checkboxes before completing a submission on a general website form. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warnings, just simple, secure submission.

Conclusion: Set Up HIPAA-Compliant Online Forms Today

LuxSci’s Secure Form solution is designed to meet HIPAA compliance requirements for online data transmission and storage. Contact our sales team today to learn more about our options for secure online engagement.

HIPAA-Compliant Secure Email: Understanding Encryption

Tuesday, August 15th, 2023

Email encryption is an important topic to understand when evaluating HIPAA-compliant, secure email vendors. Encryption is an addressable standard for HIPAA compliance, but if you send sensitive information via email, encryption is the easiest way to meet the standard.

The two most common email encryption methods include SMTP TLS and Secure Portal Pick Up. This article will discuss their differences and guide users on selecting the right option for HIPAA-compliant secure email.

secure email sending

Read the rest of this post »

7 Essential Steps to Creating a HIPAA Website

Tuesday, August 8th, 2023

The recent focus on tracking pixels and analytics codes by enforcement agencies has many healthcare organizations reassessing their website security and compliance. As technology has evolved over the past thirty years, HIPAA rules have adapted to secure sensitive data. In this article, we review the requirements for HIPAA websites and what you need to do to ensure your website is compliant and secure.

healthcare website on laptop screen

Read the rest of this post »